Caesars Palace hotel and casino in Las Vegas
Hackers use varied and constantly evolving methods to attempt to gain access to Vegas casino operators’ networks © AP

As MGM Resorts International and the FBI investigate a crippling hack at one of the world’s largest casino operators, a tantalising clue has appeared on an underground forum for buying and selling stolen credentials.

On September 1, operators of a Telegram channel called Spider Logs, run by cybercriminals who harvest and resell logins, passwords and other information from compromised computers, sold a data set that contained the credentials of a mid-level IT engineer at MGM, according to London-based Dynarisk, a cyber security company.

Another 95 MGM employees had their login credentials stolen and resold in the same data set, as did some at Caesars Entertainment, an MGM rival that disclosed in a Securities and Exchange Commission filing on Thursday that it too had been hacked in recent weeks.

The credentials for an employee working in the IT division at MGM or Caesars would be more likely to allow access to internal workings of the networks at the casino operator than those of, for instance, a front-desk hotel worker.

The possibility that the hackers gained access to MGM’s systems via stolen credentials could not be confirmed. But the presence of so many employee details on underground forums underlines the risk that large corporations like MGM face from the varied and constantly evolving methods that hackers use to gain access to networks.

“For such large and profitable companies like MGM and Caesars, they would have had the resources available to protect their data and customers,” said Andrew Martin, chief executive at Dynarisk. “They could have done things to prevent this breach that were relatively simple, including if they had been monitoring for these credentials being stolen and acted [promptly], the whole thing could have been prevented.”

The logins and passwords in the data set were probably stolen from a computer infected with malware called Redline, which hides behind pirated copies of video games or other software, according to Dynarisk. The MGM IT employee’s password for his company login was “K@sper99!” and a Caesars IT employee’s was “W@lmart1”.

Redline also steals and packages freshly stolen cookies, the tiny pieces of information that browsers use to identify frequent visitors to websites so that users do not have to enter their login details repeatedly.

A person claiming to represent a hacking group nicknamed Scattered Spider told the Financial Times on Thursday that it had carried out the breach at MGM, including trying to tamper with the casino resort’s slot machines.

The group is allegedly behind at least 100 attacks on major US corporations and is considered a major threat to western companies.

Its members, mostly English-speaking hackers from the US and Europe, are known to impersonate an employee they have studied over social media in phone calls to company help desks where they try to generate fresh passwords.

In this instance, the person claiming to represent Scattered Spider said it had also compromised an employee’s phone number, allowing it to reroute a text message containing a one-time password to the hackers instead of the employee.

The stolen passwords and logins were for a system called Okta, made by the eponymous identity management company based in San Francisco, whose software is used by thousands of businesses to verify their employees’ identity before granting access to internal company websites.

A dark web site tied to a group that Scattered Spider has sometimes worked with said on Friday that “MGM made the hasty decision to shut down each and every one of their Okta servers after learning we had been lurking on their Okta servers”.

“Although we cannot speak to the MGM event, we have seen social engineering attacks involving a threat actor calling an organisation’s help desk, impersonating an employee, and persuading the help desk to reset multi-factor authentication for a highly privileged account,” said a spokesperson for Okta, referring to the accounts of either senior employees at companies, or people working in the IT departments whose accounts would have greater access to the rest of the companies’ networks. 

Dynarisk’s Martin said more companies were at risk — other data sets he had seen traded recently included credentials for employees at more than 500 other companies, including those at Wells Fargo, WPP, Experian, Diageo, Wayfair, Epic Games and Adobe.

“More of these hacks are coming,” he said.

Copyright The Financial Times Limited 2024. All rights reserved.